Gauss: Evidence of Ongoing Cyberwar and Espionage Campaigns

As expected, a new piece of malware built for cyber espionage has once again been identified by the Kaspersky Lab team.

After Duqu, Flame and Mahdi, this new cyber-espionage toolkit has been detected in the same region, the Middle East, and like its predecessors it is capable of stealing sensitive data such as online banking credentials, browser passwords and system configurations.

The new agent has been named Gauss, after the German mathematician Johann Carl Friedrich Gauss. What is interesting is that it appears to be linked to Stuxnet, and the experts believe that it was produced in the same nation-state factories.

Gauss was discovered during an investigation conducted by the International Telecommunication Union (ITU) to mitigate the risks posed by emerging cyber-threats.

Looking at the structure of the malware, it appears to be composed of several modules whose internal names may pay tribute to famous mathematicians and philosophers, such as Kurt Gödel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange. The core module that implements the data-stealing capabilities is called Gauss.


Gauss was detected thanks to the same investigation that identified the Flame malware. According to the investigators, Gauss began spreading in September 2011 and was detected in June 2012.

In July, its command and control infrastructure shut down. What is interesting is that around the same period the CrySyS Lab in Hungary announced the discovery of Duqu. Kaspersky researchers declared:

"We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu."

Kaspersky experts found debugging information, including the paths where the project resides, suggesting that the real target of the attacks may be Lebanon: first because the country registered a high rate of infections (more than 1,600 victims), and also because the term "white" appears in the debugging data.

According to Wikipedia:

"The name Lebanon comes from the Semitic root LBN, meaning 'white', likely a reference to the snow-capped Mount Lebanon."

The shutdown of the C&C does not mean that the cyber threat has been definitively decapitated, because the malware appears to be dormant, waiting for its servers to become active again.

What is Gauss and what are its main targets?

Gauss is a cyber threat designed primarily to monitor online banking accounts, and the affected users are primarily in the Middle East. The method by which the malware spreads has not yet been determined. According to Kaspersky, Gauss is a complex agent, surely a nation-state sponsored cyber-espionage toolkit, that bears a strong resemblance to Flame.

"The 'Winshell.ocx' module which gives the name to the malware as 'Gauss', steals credentials required to access online banking accounts for several Lebanese banks such as Bank of Beirut, Byblos Bank and Fransabank. This is the first publicly known nation-state sponsored banking Trojan."


Since late May 2012, Kaspersky Lab's cloud-based security system has detected more than 2,500 infections, which leads them to estimate that the true number is probably in the tens of thousands: fewer than Stuxnet, but more than Flame and Duqu.

Gauss collects data on victims in order to send it to the attackers; that data can include network interface information, BIOS characteristics and computer drive details. It infects USB sticks with a data-stealing component that exploits the LNK vulnerability (CVE-2010-2568), the same one used by Stuxnet and Flame.

"At the same time, the process of infecting USB sticks is more intelligent and efficient. Gauss is capable of “disinfecting” the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. The ability to collect information in a hidden file on USB drives exists in Flame as well."

The malware also installs a special font called Palida Narro... this circumstance is curious because in the last few days I noted several tweets, apparently meaningless, exchanged between members of the Kaspersky team regarding a Palida Narrow theme.
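Because the article names the Palida Narrow font as a side effect of a Gauss infection, a defender's first triage step is simply to ask whether that font is registered on a host. The following script is an added example, not code from the article or from Kaspersky Lab: it parses the output of `reg query` against the real Windows font registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts`, flags any entry whose name starts with "Palida Narrow", and, when run on a Windows host, reads the key directly via `winreg` instead. The sample registry text and the font file name `palida-constructed.ttf` are constructed placeholders, not the real artifacts dropped by the malware.

```python
import re
import sys

# Font name the article reports Gauss installing; matched case-insensitively.
PALIDA_NARROW = re.compile(r"^palida\s+narrow\b", re.IGNORECASE)

# Real Windows registry key that lists installed fonts (used by the live check).
FONTS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"

# Constructed sample of `reg query` output for the Fonts key. The file name
# "palida-constructed.ttf" is a placeholder, not the real file used by Gauss.
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts
    Arial (TrueType)              REG_SZ    arial.ttf
    Palida Narrow (TrueType)      REG_SZ    palida-constructed.ttf
    Times New Roman (TrueType)    REG_SZ    times.ttf
"""


def parse_reg_query(text):
    """Parse `reg query` output into a list of (value_name, type, data) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the key-path header line.
        if not line or line.startswith("HKEY_"):
            continue
        # `reg query` separates name, type and data with runs of spaces.
        parts = re.split(r"\s{2,}", line)
        if len(parts) != 3:
            continue
        entries.append(tuple(parts))
    return entries


def find_palida_narrow(entries):
    """Return the font entries whose value name starts with 'Palida Narrow'."""
    return [entry for entry in entries if PALIDA_NARROW.match(entry[0])]


def live_registry_entries():
    """Read the Fonts key on a Windows host; return [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FONTS_KEY) as key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            type_name = "REG_SZ" if vtype == winreg.REG_SZ else str(vtype)
            entries.append((name, type_name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    # Use the live registry on Windows; fall back to the constructed sample elsewhere.
    entries = live_registry_entries() or parse_reg_query(SAMPLE_REG_QUERY)
    hits = find_palida_narrow(entries)
    for name, _, data in hits:
        print(f"Palida Narrow indicator present: {name} -> {data}")
    sys.exit(1 if hits else 0)
```

The check is deliberately narrow: the presence of the font is an indicator that warrants a full investigation of the host, not proof of infection by itself, and its absence does not clear a machine, since a variant could drop a differently named font or none at all.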


At the moment experts are not certain whether the agent also exploits a zero-day vulnerability, but they are sure that Gauss' USB data-stealing payload contains several encrypted sections, which are decrypted with a key derived from certain system properties.

What does the encrypted payload contain? The researchers are still analyzing the contents of these mysterious encrypted blocks and trying to break the encryption scheme.

The discovery of Gauss has led the experts to believe that much other related cyber-espionage malware is currently in operation, and that more will be developed in the near future.

This is the way war is now waged: stealing the enemy's sensitive information, silently, over long periods. Even though many experts do not consider Gauss a cyber weapon in the strict sense, it is in effect employed in military and government spying operations and represents an irreplaceable and effective means of attack.

Many overlook the modularity of these agents, which in the future may receive supplementary modules, developed using information acquired directly from the targets, to conduct attacks against critical infrastructure and centers of vital information.

As declared by the team of Kaspersky:

"The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns."
